Link's little book of essays --HCL network knowledge

Single-arm routing

Single-arm routing (router-on-a-stick) creates logical subinterfaces on one physical router interface, one per VLAN, so that traffic between different VLANs can be routed over a single trunk link.
Example:

# Configure the VLAN on SW1
[SW1]vlan 2
# Port-to-VLAN assignment omitted
[SW1]int g1/0/4
# Configure port g1/0/4 as a trunk port
[SW1-GigabitEthernet1/0/4]port link-type trunk
# Allow VLAN 1 and VLAN 2 through the trunk port
[SW1-GigabitEthernet1/0/4]port trunk permit vlan 1 2

# Configure single-arm routing on R1
# Create the subinterface
[R1]int g0/0.1
# Encapsulate the subinterface with dot1q and assign it to VLAN 1
[R1-GigabitEthernet0/0.1]vlan-type dot1q vid 1
# Configure the subinterface IP address
[R1-GigabitEthernet0/0.1]ip address 192.168.1.254 24
[R1]int g0/0.2
[R1-GigabitEthernet0/0.2]vlan-type dot1q vid 2
[R1-GigabitEthernet0/0.2]ip address 192.168.2.254 24

Access Control List (ACL)

An access control list is a packet-filtering access-control technique widely used on routers and Layer 3 switches.
ACL rules are matched in order: the first rule that matches a packet decides its fate, and the rules after it are not evaluated.
ACLs are directional; an ACL is applied to an interface to control ingress or egress packets respectively.
Example:

# Configure a basic ACL so that 192.168.1.0 cannot access 192.168.2.0
[R2]acl basic 2000
[R2-acl-ipv4-basic-2000]rule deny source 192.168.1.0 0.0.0.255
[R2]interface g0/2
[R2-GigabitEthernet0/2]packet-filter 2000 outbound

# Configure an advanced ACL so that PC1 can reach Telnet on server1 but not FTP, and PC2 the reverse
[R1]acl advanced 3000
[R1-acl-ipv4-adv-3000]rule deny tcp source 192.168.1.1 0 destination 192.168.3.1 0 destination-port range 20 21
[R1-acl-ipv4-adv-3000]rule deny tcp source 192.168.1.2 0 destination 192.168.3.1 0 destination-port eq 23
[R1]interface g0/0
[R1-GigabitEthernet0/0]packet-filter 3000 inbound

# Configure an advanced ACL so that PC3 cannot access SERVER1
[R2]acl advanced 3000
[R2-acl-ipv4-adv-3000]rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.1 0
[R2]interface g0/2
[R2-GigabitEthernet0/2]packet-filter 3000 inbound

NAT

NAT is a technique for translating private addresses into public addresses.
There are three types of NAT:

  • Static NAT: maps one internal IP address to one public IP address; a single internal host exclusively occupies one public IP
  • Dynamic NAT: maps internal IP addresses to public IP addresses drawn from a pool; unregistered (private) addresses are mapped to a pool of registered (public) addresses
  • Port mapping (NAPT): maps multiple private IP addresses to different ports of one public IP address.
# Configure NAPT
[R1]acl basic 2000
[R1-acl-ipv4-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R1]nat address-group 1
[R1-address-group-1]address 100.1.1.1 100.1.1.1
[R1]interface g0/1
[R1-GigabitEthernet0/1]nat outbound 2000 address-group 1

# Configure Easy IP
[R3]acl basic 2000
[R3-acl-ipv4-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[R3]interface g0/0
[R3-GigabitEthernet0/0]nat outbound 2000

# Configure NAT server
[R1-GigabitEthernet0/1]nat server protocol tcp global current-interface 20 21 inside 192.168.1.10 20 21
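To show how the NAPT, Easy IP and NAT server commands above behave together, here is an added Python model of R1's translation table (my own code, not from the post). It assumes the page's values: ACL 2000 permits 192.168.1.0/24, address-group 1 holds the single address 100.1.1.1, and the FTP server 192.168.1.10 is published on TCP 20-21. Easy IP is modelled by passing the interface address as the only pool member; static NAT is not modelled. All inside hosts and ports are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)
Key = Tuple[str, str, int]          # (protocol, IP address, port)


class NaptGateway:
    """Outbound NAPT through an address group plus static 'nat server' mappings."""

    def __init__(self, permitted_sources: Iterable[str], global_ips: Iterable[str],
                 dynamic_port_base: int = 10000):
        self.permitted = [ipaddress.ip_network(p) for p in permitted_sources]  # the ACL named in nat outbound
        self.global_ips = list(global_ips)           # the address-group (Easy IP: just the interface address)
        self.next_port = dynamic_port_base
        self.out_table: Dict[Key, Endpoint] = {}     # (proto, inside ip, inside port) -> (global ip, global port)
        self.in_table: Dict[Key, Endpoint] = {}      # (proto, global ip, global port) -> (inside ip, inside port)
        self.servers: Dict[Key, Endpoint] = {}       # static nat server mappings, keyed like in_table

    def add_server(self, proto: str, global_ip: str, global_port: int,
                   inside_ip: str, inside_port: int) -> None:
        self.servers[(proto, global_ip, global_port)] = (inside_ip, inside_port)

    def _acl_permits(self, ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in net for net in self.permitted)

    def _in_use(self, key: Key) -> bool:
        return key in self.in_table or key in self.servers

    def _allocate_port(self, proto: str, gip: str, wanted: int) -> int:
        # keep the inside port if it is free on the global address, else take the next free dynamic port
        if not self._in_use((proto, gip, wanted)):
            return wanted
        while self._in_use((proto, gip, self.next_port)):
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Endpoint:
        """Translate an inside->outside packet; sources the ACL does not permit pass untranslated."""
        if not self._acl_permits(src_ip):
            return (src_ip, src_port)
        key = (proto, src_ip, src_port)
        if key not in self.out_table:
            gip = self.global_ips[0]                 # the page's address-group holds one address
            gport = self._allocate_port(proto, gip, src_port)
            self.out_table[key] = (gip, gport)
            self.in_table[(proto, gip, gport)] = (src_ip, src_port)
        return self.out_table[key]

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Translate an outside->inside packet; None means no mapping exists and the packet is dropped."""
        key = (proto, dst_ip, dst_port)
        return self.servers.get(key) or self.in_table.get(key)


def build_r1() -> NaptGateway:
    """R1 from the page: ACL 2000, address-group 1 = 100.1.1.1, FTP server published on TCP 20-21."""
    gw = NaptGateway(["192.168.1.0/24"], ["100.1.1.1"])
    for port in (20, 21):
        gw.add_server("tcp", "100.1.1.1", port, "192.168.1.10", port)
    return gw


if __name__ == "__main__":
    gw = build_r1()
    print(gw.outbound("tcp", "192.168.1.5", 40000))   # constructed inside host
    print(gw.inbound("tcp", "100.1.1.1", 21))         # reaches the published FTP server
    print(gw.inbound("tcp", "100.1.1.1", 22))         # no mapping: dropped
```

The model makes the exposure of the NAT server command visible: inbound traffic reaches an inside host only through a session it opened itself or through an explicitly published port, so every `nat server` line is a deliberate hole in the translation boundary and should be reviewed as such.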

OSPF

OSPF is a link-state protocol. Each router is responsible for discovering and maintaining adjacencies and periodically floods LSAs, which carry its neighbor list and link costs, throughout the AS (Autonomous System); whenever a link state changes, the LSA is regenerated and sent.

OSPF has the concepts of DR and BDR.
To reduce the number of packets in the network, OSPF may elect a DR and a BDR on a multi-access network:
priorities are compared first, and if the priorities are equal the RIDs are compared; the highest becomes the DR and the next one the BDR.
All non-DR/BDR routers establish adjacencies only with the DR and BDR and exchange LSAs with them.
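As an added example (my own code, not from the post), the election rule described above written out in Python. It models a cold start on one multi-access segment, where every router comes up at once; the real election is non-preemptive, so a router that is already DR keeps the role even if a better candidate appears later. The segment and its priorities are constructed.

```python
from typing import List, Optional, Tuple

Router = Tuple[str, int, str]    # (name, DR priority, router ID in dotted-quad form)


def rid_value(rid: str) -> int:
    """Compare router IDs numerically: "10.0.0.1" beats "9.9.9.9", which a string comparison gets wrong."""
    a, b, c, d = (int(x) for x in rid.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def elect_dr_bdr(routers: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Cold-start election: highest priority wins, ties are broken by the highest RID;
    routers with priority 0 never become DR or BDR."""
    eligible = [r for r in routers if r[1] > 0]
    ranked = sorted(eligible, key=lambda r: (r[1], rid_value(r[2])), reverse=True)
    dr = ranked[0][0] if ranked else None
    bdr = ranked[1][0] if len(ranked) > 1 else None
    return dr, bdr


# constructed segment: equal priorities, so the RID decides
SEGMENT: List[Router] = [
    ("R1", 1, "1.1.1.1"),
    ("R2", 1, "10.0.0.1"),
    ("R3", 1, "9.9.9.9"),
    ("R4", 0, "200.0.0.1"),   # priority 0: forms adjacencies with the DR/BDR but is never elected
]

if __name__ == "__main__":
    print(elect_dr_bdr(SEGMENT))   # ('R2', 'R3')
```

Setting priority 0 on routers that should never carry the DR role is the usual way to keep the election deterministic on a shared segment.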

Basic Configuration

  1. Configure the IP address
# Enter the interface
[R2]int g0/2
# Add the IP address
[R2-GigabitEthernet0/2]ip address 100.1.1.1 24
  2. Configure the RID
# Configure the RID
[R2]ospf 1 router-id 1.1.1.1
  3. Advertise the directly connected network segments and the loopback interface
# Configure the area the router belongs to
[R2-ospf-1]area 0
# Area 0 is the backbone area
[R2-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
# Advertise the directly connected segment that belongs to another area
[R2-ospf-1-area-0.0.0.0]quit
[R2-ospf-1]area 1
[R2-ospf-1-area-0.0.0.1]network 100.3.3.0 0.0.0.255

Silent Interface Configuration

[R3-ospf-1]silent-interface g0/2

Advertising a default route

[R1-ospf-1]default-route-advertise

Configuring a stub area

When an ASBR (AS boundary router) imports a large number of external routes, some areas can be configured as stub areas, into which AS-external LSAs are not flooded. This reduces the number of packets in the area.

  • When an area is configured as a stub area, all routers in the area must be configured with the stub command.
  • When an area is configured as a totally stub area, all routers in the area must be configured with the stub command, and the ABR of the area must additionally be configured with stub no-summary.
# Import an external route (here a default route)
[R1-ospf-1]default-route-advertise
# Configure the stub area
[R2-ospf-1-area-0.0.0.1]stub
[R3-ospf-1-area-0.0.0.1]stub
[R4-ospf-1-area-0.0.0.1]stub

Configure the NSSA

NSSA is short for "not-so-stubby area". It is more practical than a stub area:
it relaxes the stub restriction on ASE (AS-external route) propagation from bidirectional (external routes cannot come into the area and routes from inside cannot get out) to unidirectional (external routes still cannot come in, but routes originated inside the area can get out).

# Import an external route (here a default route)
[R1-ospf-1]default-route-advertise
# Configure the NSSA
[R2-ospf-1-area-0.0.0.1]nssa
[R3-ospf-1-area-0.0.0.1]nssa
[R4-ospf-1-area-0.0.0.1]nssa

ISIS Configuration

IS-IS (Intermediate System to Intermediate System) is a routing protocol used by telecommunications operators. IS-IS was originally designed for the OSI connectionless network service (CLNS) and is not directly suitable for IP networks; what we usually call IS-IS refers to Integrated IS-IS, which applies the protocol to IP networks.

  • Differences from OSPF:
    • IS-IS divides areas by network segment (link), while OSPF divides areas on the router (all interfaces of an IS-IS router must be in the same area)
  • Routing levels:
    • Level 0: routing between an end system and a router
    • Level 1: routing within an area
    • Level 2: routing between areas
    • Level 3: routing between domains
  • Router types:
    • Level 1 router: internal router
    • Level 2 router: backbone router
    • Level 1-2 router: a router connected to both Level 1 and Level 2 routers at the same time

Basic Configuration

  1. Start IS-IS and configure the router's network entity address
[R1]isis
[R1-isis-1]network-entity 10.0000.0000.0000.0001.00
  2. Enable IS-IS on the interface
[R1]int g0/0
[R1-GigabitEthernet0/0]isis enable 1
  3. Configure the router type as L1
[R1]isis
[R1-isis-1]is-level level-1
  4. Configure the L1 adjacency
     The interfaces on both ends of the segment must be configured
[R2]int g0/1
[R2-GigabitEthernet0/1]isis circuit-level level-1
[R3]int g0/1
[R3-GigabitEthernet0/1]isis circuit-level level-1

Set the link cost

[R1]int g0/0
[R1-GigabitEthernet0/0]isis cost 5

Configure Route Leaking

By default a Level 1-2 router does not pass specific routes down to Level 1 routers; it only advertises a default route into the Level 1 area. Route leaking imports the Level 2 routes into Level 1.

[R2]isis
[R2-isis-1]address-family ipv4
[R2-isis-1-ipv4]import-route isis level-2 into level-1

Configure IS-IS authentication

Must be configured on the interfaces at both ends of the link

[R2]int g0/2
[R2-GigabitEthernet0/2]isis authentication-mode simple plain 123456
[R3]int g0/2
[R3-GigabitEthernet0/2]isis authentication-mode simple plain 123456

Configuring BGP

Border Gateway Protocol (BGP) is a routing protocol used between multiple ASes. The adjacency between ASes is maintained with keepalive messages.

Small private networks use an IGP (RIP, OSPF), large private networks use IBGP, and the Internet uses EBGP.

  • IBGP (Interior BGP)
    • A BGP connection within the same AS
    • IBGP runs inside an AS and does not add to AS_PATH, so a route learned from one IBGP peer is not forwarded to other IBGP peers
    • By default the next hop of a route is not modified; the route is forwarded as is
  • EBGP (Exterior BGP)
    • A BGP connection between different ASes
    • EBGP uses AS_PATH (and other attributes) to filter out routes that originate from its own AS
    • The next hop of a route is modified before the route is forwarded
  1. EBGP modifies the next hop of a route and then forwards it; IBGP by default does not modify the next hop and forwards the route as is.
    • Suppose there are three ASes, AS1, AS2 and AS3, connected end to end with AS2 in the middle.
      AS1 has R1 and R2, AS2 has R3, and AS3 has R4 and R5; R2, R3 and R4 are connected via EBGP, while R1 and R2, and R4 and R5, are connected via IBGP.
      Because IBGP does not modify the next hop, the next hop R1 sees is R3; since R1 and R3 are not directly connected, the corresponding route is marked invalid.
      To let R1 reach R3, configure next-hop-self on R2 to change IBGP's default behaviour, so that when IBGP passes the route on it rewrites the next hop to itself.
  2. A route learned via IBGP cannot be passed on to other IBGP peers.
    • Because of this, all IBGP routers must establish adjacencies with each other to form a full mesh, which causes management and configuration problems.
    • There are two ways to solve this: BGP route reflection and BGP confederation.

Basic Configuration

AS100: R1
AS200: R2 (L0: 2.2.2.2/32), R3 (L0: 3.3.3.3/32), R4 (L0: 4.4.4.4/32)
AS300: R5
R3 runs only the OSPF protocol

# R1 has an interface with IP 100.1.1.1/24
# Configure the AS number, e.g. R1 is in AS100
[R1]bgp 100
# Declare the peer
[R1-bgp-default]peer 100.1.1.2 as-number 200
[R1-bgp-default]address-family ipv4 unicast
[R1-bgp-default-ipv4]peer 100.1.1.2 enable
# R2 has an interface with IP 100.1.1.2/24
# Configure the AS number
[R2]bgp 200
# Declare the peer
[R2-bgp-default]peer 100.1.1.1 as-number 100
# Declare the peer relationship with the AS border router (ABR)
[R2-bgp-default]peer 4.4.4.4 as-number 200
# Use the loopback interface as the source interface
[R2-bgp-default]peer 4.4.4.4 connect-interface LoopBack 0
[R2-bgp-default]address-family ipv4 unicast
[R2-bgp-default-ipv4]peer 100.1.1.1 enable
[R2-bgp-default-ipv4]peer 4.4.4.4 enable
# Change the default behaviour: set the next hop to this router
[R2-bgp-default-ipv4]peer 4.4.4.4 next-hop-local
# R4 has an interface with IP 100.4.4.4
[R4]bgp 200
[R4-bgp-default]peer 100.4.4.5 as-number 300
[R4-bgp-default]peer 2.2.2.2 as-number 200
[R4-bgp-default]peer 2.2.2.2 connect-interface LoopBack 0
[R4-bgp-default]address-family ipv4 unicast
[R4-bgp-default-ipv4]peer 100.4.4.5 enable
[R4-bgp-default-ipv4]peer 2.2.2.2 enable
[R4-bgp-default-ipv4]peer 2.2.2.2 next-hop-local
# R5 has an interface with IP 100.4.4.5
[R5]bgp 300
[R5-bgp-default]peer 100.4.4.4 as-number 200
[R5-bgp-default]address-family ipv4 unicast
[R5-bgp-default-ipv4]peer 100.4.4.4 enable

BGP route reflector

A route reflector (RR) reflects routes learned from one IBGP peer to its other IBGP peers, similar to the OSPF DR.
R1 and R2 are EBGP neighbors; R2 uses a peer group to establish IBGP adjacencies with R3/R4/R5.

[R2]bgp 200
[R2-bgp-default]group in internal
[R2-bgp-default]peer 3.3.3.3 group in
[R2-bgp-default]peer 4.4.4.4 group in
[R2-bgp-default]peer 5.5.5.5 group in

Configure R2 as the RR:

[R2-bgp-default-ipv4]peer in reflect-client 
[R2-bgp-default-ipv4]reflector cluster-id 2001
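The next-hop and IBGP split-horizon rules from the BGP discussion, and the route-reflector relaxation from this section, are easiest to see by tracing one prefix through a small mesh. The following Python simulator is an added example (my own code, not from the post). It uses the AS1/AS2/AS3 topology of the discussion (R1 and R2 in AS1, R3 in AS2, R4 and R5 in AS3) plus one constructed extra router R0 in AS1 that peers only with R1, so that the split-horizon effect and its fix are visible; the prefix 5.5.5.0/24 originated by R5 is constructed. Next-hop validity is approximated as "the next hop is a directly connected peer or sits in our own AS (reachable via the IGP)"; there is no best-path selection, the first route received is kept.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PREFIX = "5.5.5.0/24"   # constructed prefix originated by R5


@dataclass
class Router:
    name: str
    asn: int
    peers: Dict[str, str] = field(default_factory=dict)       # peer name -> "ibgp" or "ebgp"
    next_hop_self: Set[str] = field(default_factory=set)       # IBGP peers configured with next-hop-local
    rr_clients: Set[str] = field(default_factory=set)          # IBGP peers configured as reflect-client
    rib: Dict[str, dict] = field(default_factory=dict)         # prefix -> {"as_path", "next_hop", "valid"}


def link(a: Router, b: Router) -> None:
    kind = "ibgp" if a.asn == b.asn else "ebgp"
    a.peers[b.name] = kind
    b.peers[a.name] = kind


def propagate(routers: Dict[str, Router], origin: str, prefix: str) -> None:
    """Flood `prefix` from `origin` over every BGP session, applying the rules from the text."""
    work: List[Tuple[str, str, List[int], str]] = []   # (sender, receiver, as_path, next_hop)

    def advertise(r: Router, as_path: List[int], next_hop: str, learned_from: Optional[str]) -> None:
        via = r.peers[learned_from] if learned_from else "local"
        for p, kind in r.peers.items():
            if p == learned_from:
                continue
            if kind == "ebgp":
                # EBGP: prepend our own AS and rewrite the next hop to ourselves
                work.append((r.name, p, [r.asn] + as_path, r.name))
                continue
            if via == "ibgp":
                # IBGP split horizon: an IBGP-learned route is not passed to IBGP peers, unless this
                # router is a route reflector: a client's route goes to every IBGP peer, a
                # non-client's route only to clients
                if not r.rr_clients:
                    continue
                if learned_from not in r.rr_clients and p not in r.rr_clients:
                    continue
            # IBGP leaves the next hop alone unless next-hop-local is configured for this peer
            nh = r.name if p in r.next_hop_self else next_hop
            work.append((r.name, p, list(as_path), nh))

    o = routers[origin]
    o.rib[prefix] = {"as_path": [], "next_hop": origin, "valid": True}
    advertise(o, [], origin, None)

    while work:
        sender, rname, as_path, nh = work.pop(0)
        r = routers[rname]
        if r.asn in as_path:
            continue                        # AS_PATH loop detection
        if prefix in r.rib:
            continue                        # first route kept; no best-path selection in this model
        # the next hop resolves if it is us, a directly connected peer, or inside our AS (IGP)
        valid = nh == rname or nh in r.peers or routers[nh].asn == r.asn
        r.rib[prefix] = {"as_path": as_path, "next_hop": nh, "valid": valid}
        if valid:
            advertise(r, as_path, nh, sender)


def build(next_hop_self: bool = False, reflector: bool = False) -> Dict[str, Router]:
    """AS1 = R0, R1, R2; AS2 = R3; AS3 = R4, R5.  R0 is a constructed extra IBGP peer of R1."""
    rs = {n: Router(n, a) for n, a in [("R0", 1), ("R1", 1), ("R2", 1), ("R3", 2), ("R4", 3), ("R5", 3)]}
    link(rs["R0"], rs["R1"]); link(rs["R1"], rs["R2"])        # IBGP inside AS1
    link(rs["R2"], rs["R3"]); link(rs["R3"], rs["R4"])        # EBGP between the ASes
    link(rs["R4"], rs["R5"])                                  # IBGP inside AS3
    if next_hop_self:
        rs["R2"].next_hop_self.add("R1")                      # peer R1 next-hop-local on R2
        rs["R4"].next_hop_self.add("R5")
    if reflector:
        rs["R1"].rr_clients.add("R0")                         # peer R0 reflect-client on R1
    propagate(rs, "R5", PREFIX)
    return rs


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print(flags, {n: r.rib.get(PREFIX) for n, r in build(*flags).items()})
```

Without next-hop-self, R1 installs the route with next hop R3 and marks it invalid, exactly the failure the discussion describes; with it, the next hop becomes R2 and the route is usable, but R0 still learns nothing because R1 will not re-advertise an IBGP-learned route. Only making R1 a reflector with R0 as its client gets the route to R0, which is the full-mesh problem and its fix in miniature.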

BGP Confederation

Splits the AS into several sub-ASes (using private AS numbers) to reduce the number of IBGP connections within the AS.

Origin www.cnblogs.com/lynk/p/12061721.html